askimed / nf-test

Simple test framework for Nextflow pipelines
https://www.nf-test.com
MIT License

Request: Vulnerability fix #230

Closed SimonDMurray closed 4 months ago

SimonDMurray commented 4 months ago

Following the inclusion of nf-test with Nextflow (24.04.2) and Java (21) in a container that I am building, a scan of the container detected three issues with nf-test.jar. Below is the security report generated by trivy 0.51.1:

Would it be possible to apply the relevant patches to nf-test?

Many thanks for your assistance with this.

```
Java (jar)

Total: 4 (HIGH: 3, CRITICAL: 1)

┌───────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────┐
│                    Library                    │ Vulnerability  │ Severity │ Status │ Installed Version │     Fixed Version      │                          Title                           │
├───────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────┤
│ ch.qos.logback:logback-classic (nf-test.jar)  │ CVE-2023-6378  │ HIGH     │ fixed  │ 1.4.11            │ 1.3.12, 1.4.12, 1.2.13 │ logback: serialization vulnerability in logback receiver │
│                                               │                │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-6378                │
├───────────────────────────────────────────────┤                │          │        │                   │                        │                                                          │
│ ch.qos.logback:logback-core (nf-test.jar)     │                │          │        │                   │                        │                                                          │
│                                               │                │          │        │                   │                        │                                                          │
├───────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────┤
│ org.apache.commons:commons-text (nf-test.jar) │ CVE-2022-42889 │ CRITICAL │        │ 1.9               │ 1.10.0                 │ apache-commons-text: variable interpolation RCE          │
│                                               │                │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-42889               │
├───────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────┤
```
lukfor commented 4 months ago

Thanks. I updated logback to 1.5.6. This should fix these security issues. This fix will be part of the next release.

lukfor commented 4 months ago

PR #233 fixes the commons-text vulnerability.
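The scan report above lists one fixed version per maintained branch (for logback: 1.3.12, 1.4.12 and 1.2.13), and the fix in this thread moves to 1.5.6, a branch newer than any of them. The following script is an added example, not code from nf-test or from Trivy, showing how a release jar can be checked offline against those fixed versions before it is shipped. It assumes the jar keeps the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries that Maven-built and shaded jars normally carry (this is the metadata Trivy's Java scanner relies on as well); the branch-matching rule in `is_fixed` is my reading of how a multi-branch "Fixed Version" column should be interpreted, and the two jars below are constructed in memory rather than being the real nf-test.jar.

```python
"""Check which libraries bundled in a jar are still below their fixed versions.

Added example (not nf-test's or Trivy's code).  The fixed versions are the ones
printed in the Trivy report in this issue; the jars are constructed stand-ins.
"""
import io
import re
import zipfile

# Fixed versions copied from the Trivy report.  Trivy lists one fix per
# maintained branch, so "fixed" has to be decided per branch, not by a single
# greater-than comparison.
FIXED_VERSIONS = {
    "ch.qos.logback:logback-classic": ["1.3.12", "1.4.12", "1.2.13"],
    "ch.qos.logback:logback-core": ["1.3.12", "1.4.12", "1.2.13"],
    "org.apache.commons:commons-text": ["1.10.0"],
}


def parse_version(text):
    """'1.4.12' -> (1, 4, 12).  Qualifiers such as '-SNAPSHOT' are ignored."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_fixed(installed, fixed_list):
    """Branch-aware check (assumption about how a multi-branch fix list is read).

    If the installed version sits on the same branch as one listed fix
    (e.g. 1.4.x vs fix 1.4.12) it is fixed when >= that fix.  If no listed
    branch matches, a version newer than every fix (e.g. 1.5.6) is assumed
    patched and anything older is treated as unpatched, which is the
    conservative choice.
    """
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_list]
    for fix in fixes:
        branch = fix[:-1]
        if inst[: len(branch)] == branch:
            return inst >= fix
    return inst > max(fixes)


def bundled_libraries(jar_bytes):
    """Map 'groupId:artifactId' -> version for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                found[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
    return found


def unpatched(jar_bytes, fixed=FIXED_VERSIONS):
    """Return {library: installed_version} for bundled libraries still below their fix."""
    return {
        lib: ver
        for lib, ver in bundled_libraries(jar_bytes).items()
        if lib in fixed and not is_fixed(ver, fixed[lib])
    }


def build_sample_jar(versions):
    """Constructed stand-in for nf-test.jar: a zip with one pom.properties per library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for coord, ver in versions.items():
            group, artifact = coord.split(":")
            jar.writestr(
                f"META-INF/maven/{group}/{artifact}/pom.properties",
                f"#Generated by Maven\nversion={ver}\ngroupId={group}\nartifactId={artifact}\n",
            )
    return buf.getvalue()


# Constructed sample: the versions Trivy reported for the scanned jar ...
BEFORE_FIX = build_sample_jar({
    "ch.qos.logback:logback-classic": "1.4.11",
    "ch.qos.logback:logback-core": "1.4.11",
    "org.apache.commons:commons-text": "1.9",
})
# ... and the versions after the updates discussed in this issue.
AFTER_FIX = build_sample_jar({
    "ch.qos.logback:logback-classic": "1.5.6",
    "ch.qos.logback:logback-core": "1.5.6",
    "org.apache.commons:commons-text": "1.10.0",
})

if __name__ == "__main__":
    print("before fix:", unpatched(BEFORE_FIX))
    print("after fix: ", unpatched(AFTER_FIX))
```

Pointing `bundled_libraries` at a real jar is a matter of passing `open("nf-test.jar", "rb").read()`; an empty result from `unpatched` is what a release check should require before the jar is published. The branch rule matters here because a naive `installed < min(fixed)` comparison would wrongly flag 1.3.12 (fixed on its branch) and a naive `installed >= any(fixed)` would wrongly pass 1.4.11 against 1.2.13.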